The Office for Civil Rights (OCR) announced yesterday that it has settled five investigations in its HIPAA Rights to Access Initiative (Initiative), which it announced would be an enforcement priority for it starting in 2019. The Initiative is “to support individuals’ right to timely access to their health records at a reasonable cost under the HIPAA Privacy Rule.”

The addition of the five recent settlements brings the total to seven for OCR’s enforcement of the Initiative. The OCR’s press release states that the recent settlement involve five entities: Housing Works, Inc., All Inclusive Medical Services, Inc., Beth Israel Lahey Health Behavioral Sciences and King MD.

Housing Works has agreed to pay the OCR $38,000 and to adopt a corrective action plan as a result of a complaint by an individual that it failed to provide him with a copy of his medical records. OCR provided technical assistance to Housing Works and closed the complaint. A month later, the individual complained to the OCR that Housing Works had still not provided the records to him. OCR started an investigation and determined that a violation had occurred. The individual received his records three months later.

All Inclusive Medical Services, Inc. (AIMS) settled the potential violations of HIPAA with a payment of $15,000 to OCR and to adopt a corrective action plan. In that case, OCR received a complaint from an individual that AIMS refused to give her a copy of her records. As a result of the OCR’s investigation, AIMS sent the individual her medical records two years after the initial complaint.

Beth Israel Lahey Health Behavioral Service (BILHBS) has settled allegations of failing to provide access to records by paying $70,000 to the OCR and adopting a corrective action plan. The allegations against BILHBS is that a personal representative of a patient requested the medical records of her father, and BILHBS failed to provide the requested medical records, which OCR indicated was a potential violation of the HIPAA right of access standard. Following the OCR’s investigation, the records were sent to the personal representative eight months after they were requested.

King MD, a small provider of psychiatric services, has agreed to pay the OCR $3,500 and to adopt a corrective action plan. OCR received a complaint that King MD failed to respond to a request for access to medical records in August of 2018. OCR provided technical assistance to King MD, but the individual complained in February of 2019 that she still had not been provided with her medical records. OCR started an investigation and determined that the failure to provide access to the records was a potential violation of the HIPAA right of access standard. The patient received her medical records in July 2020.

Finally, Wise Psychiatry, PC, a small provider that provides psychiatric services, has agreed to pay the OCR $10,000 and to adopt a corrective action plan. The OCR received a complaint that Wise failed to provide a personal representative with access to his son’s medical records. The OCR provided technical assistance and closed its investigation. Unfortunately, OCR received a second complaint from the individual that he had not received the records, so OCR initiated an investigation and the OCR found that the “failure to provide the requested medical records was a potential violation of the HIPAA right of access standard. As a result of OCR’s investigation, Wise Psychiatry sent the personal representative his son’s medical records in May 2019.”

Messages from these settlements—

  • Comply with the HIPAA right of access requirements
  • If the OCR provides technical assistance, listen, follow and comply with the HIPAA right of access requirements
  • If the right of access requirement is not followed after the OCR provides technical assistance, and the patient complains to the OCR again, it is not likely to close the complaint again and there is a high risk of having an investigation opened and an eventual monetary settlement with the OCR.

The OCR publicly stated on multiple occasions that it would focus on enforcement of the right of access requirements starting in 2019, so covered entities may wish to review processes in place around patients’ access to records as review of compliance is timely in light of these recent settlements.

Photo of Linn Foster Freedman Linn Foster Freedman

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She is a member of the Business Litigation Group and the Financial Services Cyber-Compliance Team, and chairs the firm’s Data Privacy and Security and Artificial Intelligence Teams. Linn focuses her…

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She is a member of the Business Litigation Group and the Financial Services Cyber-Compliance Team, and chairs the firm’s Data Privacy and Security and Artificial Intelligence Teams. Linn focuses her practice on compliance with all state and federal privacy and security laws and regulations. She counsels a range of public and private clients from industries such as construction, education, health care, insurance, manufacturing, real estate, utilities and critical infrastructure, marine and charitable organizations, on state and federal data privacy and security investigations, as well as emergency data breach response and mitigation. Linn is an Adjunct Professor of the Practice of Cybersecurity at Brown University and an Adjunct Professor of Law at Roger Williams University School of Law.  Prior to joining the firm, Linn served as assistant attorney general and deputy chief of the Civil Division of the Attorney General’s Office for the State of Rhode Island. She earned her J.D. from Loyola University School of Law and her B.A., with honors, in American Studies from Newcomb College of Tulane University. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.